In episode 79 of The Cyber5, we are joined by senior security practitioner, Garrett Gross.

We discuss the age old problem of spear phishing and why enterprises still struggle to fix this problem. We talk about the critical processes and technologies necessary to defend against spear phishing, including robust training programs and endpoint detections. We also cover how to use the telemetry collected from spear phishing and integrate this with outside threat intelligence to be useful.

Five Takeaways:

1. Security Teams Need to Make a Sensor Network from the Employee Base

Attackers win consistently when they get employees to click malicious spear phishing links. They use social engineered communications, usually over email, that appear legitimate but have malicious intent to trick a user to open a document or click on a link to obtain sensitive information about a user.

Security training is boring and employees outside of security don’t pay attention to the annual reminders. Real education must be relatable to employees so that they can identify when a malicious link is deployed against them. The most critical training a security team can do is get a sensor network from their employees to spell out the ripple effects to employees for PII and intellectual property theft after a malicious link is executed.

• Experts Must Create Critical Processes and Use Technologies Defend Against Spear Phishing

A closed door approach to security is not efficient. Experts transparently interacting with the employee base defends against spear phishing. A phased approach will be necessary to assess the necessary logging in an automated way as this takes months to configure and properly alert. The building blocks of this approach are:

1. An endpoint detection and response solution (EDR) is the most important tool to defend against spear phishing.
2. An automated way to report incidents should be considered so users are not waffling on whether or not to report incidents. It should go without saying, but no one should get in trouble for reporting an incident.

• Spear Phishing Typically Impersonates Executives; Executives Should Conduct PII Removal and PII Poisoning

The sophistication and reconnaissance of advanced adversaries are challenging to detect, particularly when bad actors impersonate executives. Verifying information over the phone is often needed to circumvent advanced attempts to social engineer an employee base. Further, publicly available information about executives should be scrubbed and removed from the internet on a routine basis.

• Use of Spear Phishing Telemetry with Threat Intelligence for Small and Medium Size Business

Small companies with limited security personnel will be fortunate to get employees to get banners saying emails are coming from an external source. They will spend a small part of their day conducting internal threat hunting. They won’t be able to conduct external threat hunting to determine the sophistication of a spear phishing campaign. They need to partner with managed intelligence providers to do external threat hunting effectively.

• “Defensibility” Measures are Critical Success Metrics: Threat Intelligence and Red Teams

Quantifying reports and solutions that show how a security team is systematically reducing risks that affect their business is the only way budgets will get increased by the board. To prove that various attacks will matter to a business, threat intelligence with subsequent red teaming are the primary ways to illustrate the issues to an executive team.